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Abstract — This papeijj presents an efficient approach to an 
existing batch verification system on Identity based group sig- 
nature (IBGS) which can be applied to any Mobile ad hoc 
network device including Vehicle Ad hoc Networks (VANET). 
We propose an optimized way to batch signatures in order to 
get maximum throughput from a device in runtime environment. 
In addition, we minimize the number of pairing computations 
in batch verification proposed by B. Qin et al. for large scale 
VANET. We introduce a batch scheduling algorithm for batch 
verification targeting further minimization the batch computation 
time. 

I. Introduction 

VANET is recently a very popular direction for research 
targeted to proper safety and efficiency in transport 
management systems. High mobility, high speed of vehicles, 
fast topology changes, and sheer scale are some characteristics 
that establish VANET as an intensive research point different 
from other types of ad hoc networks. Recently some security 
hardwares are introduced to VANET vehicles which makes 
it feasible to implement robust cryptographic tools [3 ) . For 
example, Event Data Recorders (EDR) which record all 
received messages s.t., position data, speed data, acceleration 
data, time etc.; Tamper Proof Devices (TPD) which provide 
the ability of processing, signing and verifying messages, 
protect hardware from tampering by a set of sensors, possess 
its own battery and clock, etc. Vehicle manufacturers along 
with telecommunication industries are encouraged to equip 
each car with On Board Units (OBUs) that allow vehicles to 
communicate with each other, as well as to supply Road Side 
Units (RSUs). The OBUs together with RSUs of a vehicular 
ad hoc network (VANET) help to broadcast messages to 
other vehicles or transport system terminals in their range. 
It is a serious threat to privacy if attackers can track the 
drivers' geographical position, identity, or his driving pattern 
by monitoring vehicular communication |5|. Alternatively, 
there is no way to identify rogue vehicles, if the network is 
completely anonymous. 

Conventional signature verification mechanisms might 
not be sufficient to satisfy the stringent time requirement in 
VANET. For example, in a VANET environment hundreds of 
vehicles are connected to one another at any time instance 
and each of them may send messages every 100-300 ms 
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within a period of 10 s travel time. Therefore, a vehicle 
needs to verify hundreds of message signatures per second 
0. Although only one signature is received by Dedicated 
Short Range Communication (DSRC) transmission at a time, 
a large number of signatures are buffered at receiving station. 
According to [8], consumption period of a DSRS transmission 
is too shorter than that of verifying a signature. For this 
reason, verifying a huge number of messages one after one is 
impractical and may cause bottlenecks at TPD in the vehicle. 
Moreover, some signatures might arrive from emergency 
vehicles like ambulance, petrol police, security van etc. that 
incur urgent response (short due time) from the receivers. As 
a consequence, many messages coming from other vehicles 
may be discarded due to time constraints or proper scheduling. 

In order to deal with all the challenges mentioned above 
[2,4-7], a number of batch verification mechanisms have 
been proposed [1,10,11]. In this paper, we consider the batch 
verification described in HI that was designed for large 
scale VANET. They introduced several features like (i) an 
Identity based Group signature with easy-to-manage smaller 
groups, (ii) Revoking the anonymity of signatures by Open 
Authority in case of disputed or suspected forged messages, 
(iii) A selfish verification mechanism to speed up signature 
processing. We use the same group signature mechanism 
in (9) as IT] used to provide anonymity and traceability. 
To alleviate the burden of signature verification, we further 
improve batch verification described in HI. For example, we 
reduce the calculation of pairing from 1 1 to 3 per signature. 
In addition, we introduce a batch scheduling algorithm to 
reduce the time consumption of batch verification at a greater 
extent. Besides that we include revocation procedure if the 
message is doubtable to be corrupted. 

The remainder of the paper is organized as follows. In sec- 
tion II, background and preliminary knowledge related to the 
proposed research are given, including network model, basics 
of batch verification, and security requirements. In section III, 
IBGS scheme used in this paper is described in detail. Section 
IV discusses the proposed batch verification scheme including 
batch size and signature scheduling algorithm and doubtable 
message verification technique. In section V, security analysis 
and performance evaluation are presented in brief. Finally, 
section VI concludes the paper. 
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Fig. 1. VANET Network Model 



II. Preliminaries 

A. Assumptions. 

We assume that Trusted Escrow Authority (TEA) is fully 
trusted. Other entities e.g., Vehicles, Group Managers (GM), 
and Opening Authority will need to register before operation. 
Registration of the vehicle may include the vehicle's number 
plate, identity, and driver information to recognize the vehicle 
and its owner uniquely. However, GMs are well trusted since 
Access Networks are usually set up in an open environment 
which is vulnerable to security breaches. That is why, TEA 
should check the security parameters of the GMs periodically. 

B. Network Model. 

Our network model is shown in Fig. 1., where On-Road 
unit refers to the units on the roadside e.g. vehicles, Access 
Network Manager. Groups can be formed in many ways. For 
example, by region or area where the vehicles are regis- 
tered e.g., New York city, Tokyo city etc.; by social spot 
e.g., shopping mall, official zone, military zone, educational 
institutions etc.; by category of the vehicles e.g., personal 
cars, ambulance, police cars, fire trucks etc. These groupings 
help in applying policy to manage the vehicles intelligently. 
This is a hierarchical network, from TEA to vehicles. All 
the vehicles are attached, accessed and managed by Group 
Managers and Group Managers are subsequently attached 
to TEA. Alternatively, Traffic Security Division is attached 
with both Off-Road and On-Road units simultaneously. TEA 
is responsible for issuing key, revocation. Each device need 
to be equipped with On Board Unit (OBU) consisting of a 
temper proof device(TPD), Global Positioning System (GPS) 
an Event Data Recorder(EDR). Usually a Road Side Unit has 
DSRC with a vehicle's OBU. All communications such as 
Vehicle-to- Vehicle and Vehicle-to-AccessNetwork should be 
time synchronized. 



C. Batch verification. 

1) Small Exponent test: M. Bellare et al. [10 1 gave the first 
idea about fast batch verification on digital signatures. They 
proposed Small Exponent test for batch verification. 

. Choose Si....S n e {0,1}' 

• Compute a = Y^j=i a j$j m °d Q an d y = 
where aj , yj E Z q 

• Check whether it holds: g a — y. if yes accept, else reject. 
We can expect low error from the Small Exponent Test if we 
choose 8i....8 n from a large domain. 

2) Basic Batch Techniques: A.L. Ferrara et al. ifTTI pro- 
posed 3 techniques to develop an efficient batch verifier for 
bilinear equation which is applied in our scheme. Here are 
their techniques in brief: 

• Technique 1. Sigma-protocols, usually called 2~2~ 
protocols, have three move structures: commitment, chal- 
lenge and response. This is one of the implementable pro- 
tocols of Proof of knowledge. These three steps degrade 
the verification mechanism worse. Ferrara et. al. suggest 
to reduce it as (commitment,response) policy to achieve 
much more verifiable equations. For pairing, they propose 
two sub-steps: 

- Check membership: Only elements that an adversary 
could attack need to be checked. Public parameters 
need not be checked, or it can be checked once. 

- Small Exponent Test: Perform the test to combine all 
the equation into one. 

• Technique 2. Move the exponent into the pairing, for 
example, Replace e(gi,hi) s with e(gf ,hi). It speeds 
up the exponentiation process. 

• Technique 3. If two pairing with a common elements 
appear. It will reduce n pairing to l.For example, replace 
m=i<9f,h) withe(IT7 =1 sf,/0 

D. System Security Requirement. 

VANET is concerned with public safety and vehicle privacy. 
An attacker who usually observes and analyzes the traffic in 
the network is called passive or external attacker. However, a 
compromised vehicle or device, called an internal attacker, 
can be more influential. An IBGS scheme in a VANET 
environment needs to ensure correctness, anonymity, trace- 
ability, nonframeability, revocability,liability and scalability 
as security and system requirement. We will give a brief 
description of these properties. 

• Anonymity. A signature scheme is anonymous if no PPT 
adversary can identify the message originator by mon- 
itoring the communication between vehicles or access 
points as a passive attacker. According to privacy require- 
ments, vehicle and owner information needs to be secret. 
Anonymity mechanism ensures that any identification 
related to vehicle will not be advertised or be traceable 
except in some special situation by some designated party. 

• Revocability. If the vehicle doubts a received message 
with a valid signature then it should be able to send 
the message to the verifier to judge identification of the 
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message sender and hence revoke a malicious signature. 
Unfortunately this is a threat to privacy, but for the sake 
of public safety, personal privacy needs to be sacrificed. 
If anonymity is realized without any revocability mech- 
anism, an inside attacker can anonymously broadcast 
forged messages to other vehicles, which may seriously 
degrade public safety and system reliability as well. 

• Liability. Liability demands that the sender of the mes- 
sage should be responsible for the message generated. 
Authentication, integrity and nonrepudiation must be sup- 
ported in the network to ensure liability. 

• Traceability. A scheme is traceable if any polynomial- 
time attacker has only a negligible probability of produc- 
ing a valid group signature such that the output is not the 
identity of the group signature originator. 

• Correctness.The signature scheme is correct if it has 
verification and opening correctness. 

• Scalability. In a densely populated metropolitan area, 
every day hundreds of vehicles are registered, stolen, and 
loose secret key. It entails extra job of message signature, 
verification, judging etc. while preserving all the security 
requirements. Therefore, it is essential for the network to 
be scalable for smooth management. 

• Non-frameability. It requires that the attacker be unable 
to created a judge-accepted proof that an honest user 
produced a certain vald signature unless this user really 
did produce this signature. 

III. VANET BASED IBGS 

An ID based group signature scheme [9|, where there are 
group managers, group members, and the Open Authority, pro- 
vides a full traceability, a full anonymity and non-frameability 
as needed for VANET application. Thats why, (TJ chooses (9j 
for large scale VANET. We summarize [9] as follows: 

A. Setup(l l ). 

Let a security parameter ,p is a prime and finite cyclic 
groups Gi = (A) and G2 = (B), where there exist a 
computable isomorphism \& = Gj — > G 2 and a non-degenerate 
bilinear pairing e : Gi x G 2 -> G3. For initial setup TEA will 
do the followings: 

1) Set 3J= (p,Gi,G 2 ,G 3 ,yl,B,e) 

2) Choose A 1 ,A 2 ,A 3 ,A 4 ,A 5 eGx 

3) Define cryptographic function 

. Hy : {0, 1}* Gi for Vehicles 
. H : {0, 1}* ->■ Gi for TSD 
. H R : {0, 1}* -> Z* for GM 

• H : {0, 1}* — > Z* for vehicles to compute or, to 
verify challenges. 

4) Generate private Key (xt) G Z* and 
public key (K T ) = B XT G G 2 

5) Finally, produce the system's public parameter: 

param = (U, A u A 2 , A 3 , A A , A 5 , H v , H Q , H R , H, K T ) 



B. Key Generation. 

TEA generates private keys for all the entities in the system 
including vehicles, GMs, and TSD with the identities they 
provide. 

• GM: With the identity of GM ID R , TEA generates 
private key x R — r + H r (C\\ID r )xt mod p where 
r G Z* and C = B r . TEA issues (C, x R ) to each Group 
Manager. It is to mention that TEA provide the additional 
string C to all the GM to register with corresponding 
vehicles. 

• TSD: Private key xo = Ho{IDo) XT where I Do is the 
identity of TSD. 

• Vehicle: Private key xy — Hy(IDy) XT where IDy is 
the identity of a vehicle. 

Vehicles need to complete registration with their corre- 
sponding GM. GM firstly runs a proof of knowledge of 
vehicular private key xy for its Identification without any 
information leakage. Additionally GM sends the additional 
string C as it got from TEA. It also manages a registration 
table or database to entry the vehicle as a group member. 

C. Group Join Protocol. 

TEA is the only trusted authority. Before joining the group, 
a vehicle has its ID and secret key generated from TEA. To 
get a membership certificate a vehicle needs to perform a 
protocol with the certificate issuer called GM as shown in Fig. 
2. At the end of the protocol, a vehicle becomes a member of 
the group and obtains a membership certificate (D,t,C) as a 
Group Signing Key. GM computes W which is stored in the 
database for future use. In case of irregular behavior, W will 
help TSD to reveal the identification of a vehicle. 

D. Signing and Authentication. 

A registered vehicle under a group having a secret key xy 
and Group Signing Key(D,t,C) can anonymously generate 
a signature T on a message M. At the same time, it allows 
TSD, or Open authority to open the signature if needed. 
Detailed descriptions are as follows: 

1) Choose si G Z; and set (r , r x , r 2 , r 3 , r 5 , 8 2 ) = 

, xyAl 1 , Hy(ID v )A s 2 1 , DA^ 1 , T*^ 1 , ts x mod p) 

2) Choose d G Z* and set (yi, V2) = 

(e{H v {IDv),B)e{Ho(IDo),K T ) d , 3 d ) 

3) Select randomly (ri, ra, r^) G Z* and 

i?2j R3) G Gi and compute 

(V , iM? , R2A? , R 3 A r 3 > , Tl 3 A2 , B^) 
. (fa fo,0B) = {[e(A 1 ,B)- 1 e(A 2 ,K T )] r \e(A 3 ,B)^ 
[e(A 3 , S)e(A 2 A A , B)} r \e(H (ID ),K T )^e(A 2 ,B) 

4) compute / = i7((ro,r 1 ,r 2 ,r 3 ,r 5 )||c||D 1 ||v 2 ||M|| 

(A), 01, 02, 03, 0i, 05, A>, 07, 0S)) 



Vehicle (x v ) GM (C,x R ) 

Run Proof of Knowledge for 

Compute D = A 5 /H v (ID v ) 1/{t+XR) t G Z* 

Compute W = e(H v (ID v ),B) 

Record (IDy, D, t, W) for future use. 

{£>,*, C) 

Check validity of C [?] and accept if 

e(A 5 , B) = e(D, Bfe(D, S)e(H v (ID v ),B) 
holds for S = CK t Hr{CIIIDr) 



Fig. 2. Group Joining Protocol 



5) Compute 

. (zq, Zi,z 2 , z 3 ) = (ri - fsi mod p, 

r 3 ~ ft mod p, r 2 — fs 2 mod p, — fd mod pj 
. (Z 1 ,Z 2 ,Z 3 ) = (R lX y f ,R 2 H v (ID v )-f,R 3 D-f) 

6) Signature for batch verification 

t = (r a , r ll r 2 , r 3l r 5 )\\(z , z Xl z 2 , z 3 , z x , z 2 , z 3 )\\f\\ 

C\\Vi\\V2\\(flo, fa, fa, fr, fo)\\S) 

E. Individual Message Verification. 

After getting a signature T, a vehicle verifies the signature 
as follows: 

. Set (r 4 ,r 6 ,r 8 ) = (e(T x ,B)- x e(T 2 ,K T ), e(A 5 ,B)- 1 

e(T 3 ,S)e(T 2 T 5 ,B), V l e(T 2l B)- 1 ) 
. Compute S = CK t Hr{C]]IDr) 
. Compute {0 Q ,0i,02,03,05,07) = 

(a*° y{,z x a? r{ ,z 2 Af r f 2 ,z 3 A Zo r^r|M|° r(,B^v 2 f ) 

. Computed, 6 , S ) = ([e(A t , B)~ l e(A 2 , K T )] z °v{, 
e(A 3 ,B)^[e(A 3 ,S)e(A 2 A 4 ,B)] Zo r f 6 , 
e{Ho{ID ),K T y° e{A 2 ,B)-*°rf) 

. Check / = H^To^^T^T^WCWv.WV.WMW 

{0 O ,0i,02,0s,0i,0s,06,07,0&j) 
If the hash check is successful, then the message will be 
accepted; otherwise rejected. 

IV. The Proposal 

We start with VANET based IBGS scheme described in 
section III and reconsider the signature generation in JT] to 
remove some redundant part^] Then, we modify the ver- 
ification algorithm to apply an efficient batch verification. 
Finally, we propose a batch scheduling algorithm to gear up 
the verification in a runtime environment. 

A. Modified Signature. 

We follow the same signature in section EH, but modify 
the final part of signature. Here we describe the only the 
modified portion. A signer who possesses group signing key 
can anonymously generate a signature on a message M. 

2 Size of the signature in (T] is larger than |9 |. 



• Compute (04,06,0s) as section III. 

• Modified signature will be: 

T' = {T ,T 1 ,T 2 ,T 3 ,T 5 )\\(z , zi, z 2 , z 3 , Z 2 , Z 3 )\\ 
(0 i ,06,0s)\\f\\C\\v 1 \\V 2 

B. Modified Individual Verification. 

We have observed that (04,, 06,0s) is the most expensive 
part of the verification. In section III, we gave the verification 
mechanism of [ 1 1 which is modified here according to the 
above signature T' to reduce the cost of individual verification. 
To verify signature T' of a message M one can perform the 
following: 

. Compute S = CK t Hr(CIIIDr) 

. Compute (0o, 0i, 02, 3 , 05, 07) = 

(A z °T f , Z 1 Al a r{,Z 2 A z 2 'T{,Z 3 Al''Ti,T z /Al'>Tl B*°V 2 f ) 

. check / = iy((r ,r 1 ,r 2 ,r 3 ,r 5 )||c f ]j^ 1 i|v 2 j|ikr|| 

(00,01,02,03,04,05,06,07,08)) 

. Verify (04,06,0s) = 

([e(Ai, B)~ 1 e(A 2 , K T )] Z » [e(Ti, B) _1 e(r 2 , K T )]f, 
e(A 3 , B)*» [e(A 3 , S)e(A 2 A A , B)] z ° [e(A 5 ,B)- l e(T 3 , S) 
e(r 2 r 5 , B)]f ,e(H (ID ),K T ) z °e{A 2 ,B)- z ° [v 1 e(T 2 , B)~ 
Compared with the verification mechanism of HI, we noticed 
that (r 4 ,r 6 ,r 8 ),5 and (0 , X , 02, 03, 05, 07) are not neces- 
sary to be included in a signature, and thus, signature size is 
reduced. 

C. Modified Batch Verification. 

The scheme in [ 1 1 exploits the techniques of [ 1 1 ] keeping in 
mind that a multi-base exponentiation (pairing) takes a similar 
time as a single-base exponentiation. Let a VANET device 
receives n message-signature pair (Mj,T'j) where T/ = 

(ro,i,ri il ,r2,i,r3 !i ,r 5ii )||(/34 :i ,/3 6:i ,/3 8!i )||/ i ||c i ||wi ii ||V2, l || 

( z 0,i, z l,i, z 2,i, z 3,i, %2,i, Z 3 i ). 

. Compute S = C K T H r{c]]i D r) once, because all vehi- 
cles share the parameters C, ID R , Kt [Technique 1, in 
section 2.] 

• For all i = 1 n compute the non-pairing 
equations: (0 o ,i, 0i,i, 02,i, 03,i, 05,i, 07,i) = 

(A*°r* z hl A?-r^, z 2 ,A^r^, z 3 ,\: r*,r£ 

ATn\ v B^vt) 



• For each i = 1, , n check the following: 

/i = fl-((r 0ii ,ri ii ,r2,i,r 3 , i ,r 6ii )||c , i ||t;i, i ||V2 >i ||M, 

^2,ii /?7,i) 

• Before starting a batch verification, we can simplify the 
equation as follows: 

/3 4 = [e(A 1 ,B)- 1 e(A 2 ,K T )} Z0 [e(T 1 ,B)- 1 e(T 2 ,K T )} f 
= e(A 1 - Zo ,B)e(A 2 Zo ,K T )e(T 1 - f ,B)e(T 2 f , K T ) 
= e{A x - Z0 Y^ f , B) e{A 2 z °T 2 f , K T ) 
fa = e{As,B)" [e(A 3 , S)e(A 2 A i , B)] z »[e(A 5 , B)- 1 
e(T 3 ,S)e(T 2 T 5 ,B)}f 
= e(A 3 z * , B)e(A 3 z °,S)e(A 2 z °A 4 z °,B)e(A 5 -l , B) 

e(T 3 f,S)e(T 2 fT 5 f,B) 
= e{A^A 2 Za Ai Z0 A 5 -fT 2 fr 5 l,B) e(A 3 Zo T 3 ^,S) 
P 8 = e(H (ID ),K T ) z ° e{A 2 ,B)- z "[v 1 e^S)" 1 ]/ 
= e([H (ID )} Z6 ,K T ) e{A 2 ' Za ,B){ Vl f) e(T 2 -f,B 
= («i0 e{A 2 - z °T 2 -i\B) e{[H (ID )] z \K T ) 
. Let & = A-i~ Zo T^ f , 
ik^A 2 Za T 2 i, 

( b = A 3 z sA 2 z °A i z °A 5 -tT 2 fr 5 f, 

C s = A 3 z °r 3 f, 
Xb = A 2 ~ z °r 2 -f, 

Xk = [H {IDoT 
. Hence (f3 4 (3 6 (3 8 ) 

= (e(6, B)e(&, ^T)e(Cfc, B)e(C„ 5)e( Xfc , B) 

e( Xfc ,^T)(«i / )) 
= (e(Cb( b ,B) e(^ Xk ,K T ) e({ s , S)( Vl f)) 

• Applying Technique 1,3 in section II, choose the random 
vector (Si,...., Si) where Si E Z p ; and check the 
following pairing equations Vt = 1, , n: 

n^i 

= e (nr=i s i€b,iCb,i, b) e(n™ =1 5^,%%^%, kt) 
e (nr=i 5) (niLi^i/*) 

For simplicity let: 

Qi = SiCa.i, K ; = 6i£k,iXk,i and ^ = tfiUi,/' 
Hence, Uti Mi - e(TT7 =1 B ; , B) e$ft =1 K u K T ) 

e(n?=iQi.5)n?=i^ 

If the above equation is satisfied then verification is 
successful; otherwise not. 

D. Doubtable Message Verification. 

Consider the verifying entity receives a message which has 
a valid signature but the message is doubtable to be forged. It 
might happen if the signer's secret key is compromised. If the 
message is found to be fraudulent then usually the certificate 
of the compromised signer is revoked and the revocation list 
updated. In fl] the authors suggested a tag specifying the 
lifetime of the GM's public key. TSD has the right to open 
the encryption in the signature. To trace the actual signer of a 
given signature T, TSD does the following: 

• The verifier submits the message M with its correspond- 



ing signature T to TSD which computes: Vi/e(xo, V 2 ) = 
e{H v {ID v ),b)=v 

• TSD compare v with the entry in registration table. If 
no entry is found, output _L; else computes proof of 
knowledge oj s.t. e(xo, V 2 ) = v\Jv to justify. 

1) Select (so'i^o'^i') € Z* and compute : 
(r^r' l7 r 2 ) = (x A s ° ,e{A,V 2 y« ,e{A,B) s °') 

2) (ft 0> ft,ft 2 ) = (Ho(ID ) ri 'A r °',e(A,V 2 y<>', 
e(A B) r ° ') 

3) Compute /' = H ((r' , r' x , T> 2 ) \ \ (ft , ft , (3> 2 ) | 1 v x \ \ V 2 , v) 

4) (V, = (r ' - /'s '), H (ID ) ri ' x f ) 

5) Outputs the proof: u = (r o ||/'||(z ', z/)) 

Justification: GM or, corresponding vehicle now can check 
the validity of the proof u whether ID is the real signer of 
corresponding signature T for message M. 

• Compute: (v, v') — (e(Hy(IDy), B),v\/v) and 

• (ri,r' 2 ) = (e{Y' Q ,V 2 )/M',e{T{ ) ,B)e{H {IDo),K T ) 
. = { Zl ')T'/ A z °' ,e{A,V 2 ) z °'T'/ , 

e(A, B) Z °'V'/) 
. Compare: /' = H((T' , T[, T' 2 ) \\(ft , ft, ft)\ \ Vl \ \V 2 , v) 
If the above equation holds, the verifier will be assured about 
the message signer" s ID as a real signer, hence justified. 

E. Batch Scheduling. 

In a VANET environment, signatures arrive sequentially 
with respect to time. OBU usually processes the signature 
First Come First Serve (FCFS) basis. But we cannot apply 
FCFS for n number of signatures, because sometimes 
prioritized emergency data like message from fire service 
vehicle, ambulance etc. might be arrived with lower deadline 
and/or higher weight value. That is why, it is practical to 
process the signatures according to their priority. In the 
proposed algorithm, we consider due time of each signatures 
by which it can be scheduled to get faster response and 
we also introduce the parameter weight for each signature. 
By default, weight could be a fixed value for example- '1'. 
But in special cases, it might have some different value 
which results providing higher priority to certain vehicles 
e.g., vehicle of prime minister, doctors etc. In addition, we 
can make different groups of vehicles with different weight 
as a parameter e.g., public service buses, personal cars etc. 
Besides these, it is obvious that if we increase the batch 
size n, it will give us more optimized computation time 
for n signatures but also increases completion time Ci of 
individual signature. Therefore, there is a trade-off between 
the batch size and completion time. Choosing the value of 
n is not easy task. For example, the value of n during rush 
hour at downtown could be greater than off-peak traffic 
times, or the same at uptown. For the batch verification of 
size n, a vehicle needs waiting for n signatures to arrive 
to commence verification. However, we can utilize idle 
time (waiting time) with partial computations of incoming 
signatures as it arrives while batch verification continues. We 
carefully observe that the right side of each batch verification 
pairing: e(J[" = i Bi, 5), e(T]? =1 Ki, K T ), and e(Itf =1 Qi, S) 



is common which contribute to partial computation of left part 
for consecutive signatures. So, we will discuss the scheduling 
of signatures for partial computation and hence devise an 
algorithm to find an optimal number n of signatures to be 



batched at a time. That's why, We split the 
pairing verification into 2 parts: 



signature's 



• Verification Part 1: Compute Mi, Bj, Kj, Qi, and ^ 

of corresponding signature with single machine schedul- 
ing policy as it arrives. 

• Verification Part 2: Compute and verify: 11™= i Mi = 
e(nr=iBi,S) e(Uti^K T ) e(n? =1 Qi,S) EHU * 

At first, we consider Single Machine Scheduling Problem 

with Release Times and Identical Processing Times for batch 
scheduling lfl4l : where the release times, due dates, and 
sequence-dependent set-up times of jobs are taken into con- 
sideration. The objective is to find a feasible set of jobs which 
are to be completed before or at their deadlines. Secondly, an 
algorithm is devised to find the optimal number of signatures 
to be processed in a batch. 

Suppose that there are n signature verifications Ji (i — 
1, n) to be scheduled, and each signature has a release time 
Ti, a due time di, finishing time for verification part 1 C< and 
the processing requirement of part 1 by p;. A total schedule 
is expressed as a set X of signatures such that the total weight 
J2iex w i * s max i mal - Besides that, we assume that processing 
times for all the signature verification part 1 are same: p t = p 
for all i where p is an arbitrary integer and r*j + Pi < di. 
Signatures are indexed in a non-decreasing order of due time 
di. If the release times r*j are not multiples of p problems, 
it becomes more complex than problems with unit processing 
times pi = 1. Such kind of scheduling problem is called: 
l|r,;pj — p\J2 w iUi where U stands for Unit penalty per late 
job in the standard scheduling terminology. 



if Ci < di 

1 otherwise 



Example: 1 1 ; p = p with given release time 

and pi = p = 2 



due time eL 
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Lateness Li := (C\ — di) 
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A schedule for subset X is feasible if and only if: 

1) All signature verification part 1 set X start after or at 

their release date and are completed before or at their 

due time, and 
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Fig. 3. Instance for l|rj;pj = p\ 

2) They do not overlap in time. 
An optimal schedule will exist if each computation of the 
signature verification part 1 starts at a time belonging to the 
set. 

T := Ti + Ip | i = 1, n; I = 0, n — 1 

Let S be an optimal schedule with «i, ^2, *n order. It can 
be transferred to a feasible schedule; for example i v can be 
shifted to the left until its release time and due time (r v ,d v ) 
coincide. 

For any integer k < n and s,e E T with s < e. Let Uk(s, e) 
be the set of verification part 1 i < k with s < Ti < e. and 
W£(s, e) is the maximal total weight of a subset of Uk(s,e) 
with 

1) S is idle before s + p and after e 

2) The start time of all i € T 

Algorithm 1 Signature scheduling (l\r t ;pj =p\J2 w iUi) 
INPUT: r~d~p~i 

OUTPUT: Feasible schedule of signatures with maximal 
total weight Wk(s, e). 

1) Enumerate the signatures s.t., d\ < d2 < ... < d n \ 

2) Vs, e e T with s < e : W ( Sl e) := 0; FOR (k = 1 TO 



n) 
Vs, 

W k (s,e) 



Vs, e G T with s < e 

Wk-i(s,e) if r k £ [s,e) 



s{Wk-i (s, e), W^(s, e)} otherwise 



where 

fma:r{w fc + W fc _i(s,s / ) + Wfc_i(s',e)} 
such that s' € Ti and 
moijrt, s + p} < s' < min{dk, e} — p; 

3) Calculate W n (s, e) := ( min t — p, max t) for feT 

Theorem 1: For k = 0, n and Vs, e e T such that s < e 
the equality W k (s,e) = W£(a,e) holds fl4l . 

For each value of k,0(n 4 ) values of W k have to be com- 
puted. As T contains 0(n 2 ) elements, overall time complexity 
of this algorithm is 0(n 7 ). However, when release and due 
dates of jobs are ordered similarly ([r; < r^+i] [di < rfj+i]), 
the same problem is solvable in 0(n 2 ) with a dynamic 
programming algorithm in fTGl . In VANET environment, if 
we do not consider any prioritized message/signature, we can 
adopt the algorithm in lfl6l . 



In ifTTl . authors present a modified tabu search algorithm 
that also schedules n jobs to a single machine in order to mini- 
mize the maximum lateness of the jobs. The objective function 
of the scheduling problem is to minimize L max (H) = max Li, 
where Li = Ci — dj. A total schedule is expressed as a set 
II = {ir(l), 7r(l), 7r(n)}, where ir(j) is the index of the job 
in position j of the schedule. 

In |fT5l Noy, et al. proposes a single machine throughput 
maximization real time scheduling algorithm for n jobs 
where each job is associated with corresponding weight Wi 
which is the value/revenue of completed job and deadline 
di. Let for k batches, they have rij as batch size, Fj as 
family which is associated with processing time. Jobs with 
same processing time belong to same family and can be 
executed in the same batch. Their goal was to find a feasible 
schedule of batching several jobs of the same type together 
to maximize weight. This type of problems are referred to as 
real time scheduling problem and maximizing weight referred 
to as throughput. Authors suggested that if the number of 
families are fixed, then this type of problems can be solved as 
dynamic programming. For bounded batch size b they prove 
and conclude the problem be solved optimally where F is 
some constant value depends on weight of jobs. 

Theorem 2: batch, b, rj,F =const| J2wj(l — Uj) can 
be solved optimally in 0{n F +3F+3 log n) steps. 

In our batch scheduling mechanism, we can assume 2 
batches as verification part 1 and verification part 2 from 
different family Fj, because each batch is responsible for 
different types of computation as mentioned before. That is 
why, the batch scheduling problem can be solved optimally 
with dynamic programming with finite steps. 

We propose Algorithm 2 for signature verification part 
2, that is, to find out the optimum value of the number of 
signatures be batched at a time. 

For implementation, we consider 6 queues named 
M,B,K,Q,V,P. From the algorithm 1 we get the optimal 
schedule of signature verification part 1 and hence corre- 
sponding values Mi, Bi, Ki, Qi, and Vi in the respective 
named queues. Now we will consider the algorithm for veri- 
fication part 2 which is responsible for pairing computation 
and incur maximum time among all the computations. Our 
proposal is running two batches for verification part 1 and 
part 2 simultaneously as two threads. From the record, one 
can easily take decision on the optimized batch size b from 
Maximum completion time C ma x b and Maximum Lateness 
Lmaxb °f a batch. Therefore, the threshold value of batch size 
b should be chosen carefully to keep the batch verification 
system remain consistent, flexible and efficient. 

V. Security and Efficiency 

A. Security Analysis. 

The properties of IBGS [9] allow the vehicles to trans- 
mit/receive messages without leaking their identities. The 
tracing manager TSD can trace a forged identity and revoke 



Algorithm 2 Scheduling Verification part 2 

INPUT: Setup time Sb, Completion time C,, Due time di,6 

queues M, B, K, Q, V, P 

OUTPUT: (Batch size b , Max. Completion time C max b, Max. 
Lateness L rnax b- 

. FOR (6 = 2 to n) 

1) Pop i th value from M, B, K, Q, V, P and 

2) Calculate 77 = eQlLi B ; , B) efllti K i' k t) 

e(nliQi,s)nL^ 

3) Calculate fi = -=i M i 

4) Check fi = 77. If successful then: 

- Push the result of 77 into queue P for future use. 

- Set operation time of batch size b as 6 t 

- Calculate Maximum Completion time of a batch 

Cmaxb • &b ~t~ ~t~ Cmax 

- Calculate Maximum Lateness of a batch 

Lmaxb • — C rt i a x h di—\ 

- Record (b, C maXb , L maXb ). 

5) Else if /it 7^ rj, report batch error and Exit. 

6) Continue until Queues: M, B, K, Q, V become 
empty. 



the certificate of an anonymous vehicle. To meet the aforemen- 
tioned security requirement, in J5) it is shown that IBGS group 
signature scheme is correct, anonymous, traceable, and non- 
frameable. The scheme is correct as the message generated 
by vehicles will always be accepted by other vehicles and 
hence guide vehicles for potential improvement of traffic 
safety and efficiency. If a vehicle is not registered with MVD , 
revocability, liability and scalability, it cannot create messages 
even if the cheating vehicle is allowed to access valid messages 
thorough VANET. An attacker cannot cheat other vehicles even 
by forging a new valid message or modifying a valid message. 
This ensures the scheme's liability. 

The scheme is non-frameable as no party except the MVD 
can produce a signature that can be accepted by the verification 
procedure. This strong security notion guarantees that if a 
message is accepted as valid,it must have been generated 
by single registered vehicle and not have been tempered 
with since it was sent. The originators of valid messages 
are anonymous which means an attacker cannot decide the 
message originator with a probability non-negligibly greater 
than 1/2. A trusted third party called TSD can trace the 
anonymous generator of any valid message. No group member 
or set of colluding members can generate a group signature 
accepted by the verification procedure which is not linkable 
to the actual signer. 

B. Efficiency Analysis. 

We compare batch verification with the earlier batch 
verification mechanism for IBGS |1| as both of them have 
the same goals and followed the same signature scheme. Our 
scheme provides the same security and privacy features with a 
faster verification mechanism. This is due to three reasons: (1) 



Our new signature size for the batch verification is less than 
the previous one; (2) We reduce number individual message 
verifications and batch verifications as well; (3) We propose a 
runtime batch scheduling algorithm for signature verification 
and an algorithm to find out the optimum size of the batch. 
First of all, the previous verification signature was: T' = 
T||(r4,r 6 ,r 8 )||(^^ 2 ,^ 3 ,^4,/35^6,/9 7 ,^)||5 where T = 
(T ,T 1 ,T 2 ,T 3 ,T 5 )\\(z a ,z 1 ,z 2 ,z 3 ,Z 1 ,Z 2 ,Z 3 )\\f\\C\\v 1 \\V 2 . 
Instead, we propose a simplified signature and assume it 
would be enough for batch verification. We selected the 
three most complex pairings parameters to pad the original 
signature, which will give the same functionality as well as 
less bandwidth and memory consumption. We propose the 
modified signature as: T' = T| |(/?4, (3$, /3g). Secondly, we 
have fewer pairing computations than the previous scheme. 
Our scheme has only 3 pairings in final verification while 
previous scheme had 11 pairings. Thirdly, we introduce a 
scheduling algorithm for the incoming signatures, which is 
very important for VANET environment, where sometimes 
messages/signatures are prioritized with weights and short 
deadlines. Finally, we propose an algorithm to explore the 
best possible batch size n for any specific environment by 
parallelizing the independently computationable components 
to set maximum signatures to be processed without any idle 
time between them. We believe that our algorithms can be 
implemented for other batch verification algorithms as well 
to find out the optimum number of signatures to be processed 
at a time in batch. However, as we used Small Exponent test 
for batch verification, we accept the probability of invalid 
signature 2 b , where is the security level iflOll . 

VI. Conclusion 

In group signature mechanisms usually large numbers of 
signatures need to be verified. Designing a batch verification 
mechanism partially addresses this problem, but batch verifica- 
tions need to be optimized as much as possible. In this paper 
we have presented an extremely efficient batch verification 
system from a IBGS group signature scheme for VANET 
environments. We have further presented a batch scheduling 
algorithm to accelerate batch verification. Our scheme not 
only provides the desired level of security requirements, but 
also is efficient in storage and computation. We believe it 
can be implemented in any ad hoc network with minimum 
resource constraints, especially in MANET environments. Our 
batch scheduling environment can be applied to any batch 
verification systems available. In future, we would like to 
evaluate the result on a large scale VANET testbed with 
varying different scheduling algorithms. 
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